Hi Marcin, is there a way of mapping remote users' MAC addresses to usernames in an LDAP server? I have a client who wants to restrict VPN access to the firewall based on the MAC address of the client, or any other form of end-user VPN client access restriction. Basically we want to only allow remote users to connect with their work laptop and not from their home PC, for instance.
I want to restrict RA VPN access to the firewall based on the MAC address of the client. Basically we want to only allow remote users to connect with their work laptop and not from their home PC, for instance. I am using an ASA5510 on 8.4. If such an option is available, please also share the link on how to configure it. I have read a few blogs; they say it cannot be done, but we can use certificate-based authentication and map the MAC address to the certificate. If this is how it works, can you provide a link on how to configure it?
For site-to-site VPN: can you tell me if we can use the public IP address (the outside interface IP address on which the tunnel is terminating) in the encryption domain as the source?
Hi all. Need assistance on this issue. I am working on ASA 8.2. We have a public block for the customer, 199.199.199.0/24, pointed to the ASA. Now the customer wants access from 199.199.199.21 to 199.199.199.15. He is coming from private IP address 10.1.100.58 trying to access public IP address 199.199.199.15, but it's not working. Subnet 199.199.199.0/24 is NATed, and on the ASA it is learned via the default route, i.e. OUTSIDE. The customer cannot access the public IP address 199.199.199.15, as he is coming from 10.1.100.58 and is then NATed to 199.199.199.21. So it's like he is coming in on the outside interface and going out to the outside interface. This setup is not working. Below is the rough setup:

C 10.1.100.0 255.255.255.0 is directly connected, inside
C 10.1.200.0 255.255.252.0 is directly connected, dmz
static (inside,outside) 199.199.199.21 10.1.100.58 netmask 255.255.255.255
static (dmz,outside) 199.199.199.15 10.1.200.15 netmask 255.255.255.255
nat (inside) 0 access-list nat_exempt
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (VPN-zone) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list nat_exempt extended permit ip any host 199.199.199.15 log
Thank you nkarthikeyan for your reply. So you mean it will first use the crypto ACL outside_crypto_10 to travel through the tunnel. Once it reaches the ASA, it will be restricted by the vpn-filter TEST_FILTER. So if this is the case, I guess the best setup would be to allow IP traffic in the crypto ACL and restrict on ports in the vpn-filter.
Hi, I was working on an L2L VPN config and had some doubts. Now, the default hierarchy of how a policy is applied for RA VPN goes: Dynamic Access Policy, User Profile Policy, Specific Group Policy for that User, Connection Profile Group Policy, Default Group Policy. I am not sure if such a hierarchy applies to L2L VPN. I have a crypto ACL named outside_crypto_10, and under the tunnel-group I have a group-policy called TEST_FILTER, and under that group-policy I have a vpn-filter value TEST_FILTER. My question is: when the traffic is generated which matches the outside_crypto_10 ACL, it will go via the tunnel. If the traffic doesn't match anything in the outside_crypto_10 ACL, will it look at that under the vpn-filter "TEST_FILTER"? If yes, in what direction should we have the ACL in "TEST_FILTER" defined, like access-list TEST_FILTER extended permit ip (Internal Network) (Peer End Network), or vice versa, access-list TEST_FILTER extended permit ip (Peer End Network) (Internal Network)? Should we be needing the interface ACL, no-NAT, outside ACL? Also I read in the hierarchy of how a policy is applied for RA VPN that if it finds a matching parameter it will bypass the parameters under it for that. Like if it finds a matching Dynamic Access Policy for a user, it will not look again under User Profile Policy, Specific Group Policy for that User, Connection Profile Group Policy, Default Group Policy. So will such a case happen with the L2L VPN? Like if it finds a crypto ACL, will it bypass the TEST_FILTER or will it consider that too?

crypto map outside_map 10 match address outside_crypto_10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 2.2.2.2
crypto map outside_map 10 set ikev1 transform-set aes-256-sha
crypto map outside_map 10 set security-association lifetime seconds 3600

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy TEST_FILTER
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****

group-policy TEST_FILTER internal
group-policy TEST_FILTER attributes
 vpn-filter value TEST_FILTER
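The crypto-ACL-then-vpn-filter order and the vpn-filter direction asked about in the post above, as an added example that is not part of the original thread: a small Python model of how the ASA evaluates both ACLs for one L2L flow. It assumes a simplified ACE syntax (any, host, or network plus mask, with optional "eq" ports) and a constructed peer network 192.168.50.0/24; the names outside_crypto_10 and TEST_FILTER and the inside network 10.1.100.0/24 are taken from the posts.

```python
import ipaddress
from collections import namedtuple

# One simplified ASA extended ACE; ports are only the "eq N" form.
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _net(t, i):
    """Read one address operand (any | host A | A MASK) starting at index i."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _port(t, i):
    """Read an optional 'eq N' at index i."""
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    i = t.index("extended") + 1
    src, j = _net(t, i + 2)
    sport, j = _port(t, j)
    dst, j = _net(t, j)
    dport, j = _port(t, j)
    return Ace(t[i], t[i + 1], src, sport, dst, dport)

def acl_permits(aces, flow):
    """First matching ACE wins; no match is the implicit deny at the end."""
    proto, src, sport, dst, dport = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action == "permit"
    return False

def l2l_decision(crypto_acl, vpn_filter, flow, local_nets):
    """Return (tunnelled, allowed) for flow = (proto, src, sport, dst, dport).
    The crypto ACL is written local -> peer and the vpn-filter peer -> local;
    each is checked with source/destination swapped for the other direction,
    so one ACE covers both directions of a conversation."""
    proto, src, sport, dst, dport = flow
    reverse = (proto, dst, dport, src, sport)
    outbound = any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in local_nets)
    if not acl_permits(crypto_acl, flow if outbound else reverse):
        return False, False  # not crypto-interesting: never enters the tunnel, vpn-filter not consulted
    return True, acl_permits(vpn_filter, reverse if outbound else flow)
```

Note that a vpn-filter ACE with "eq 443" on the local side only admits peer-initiated connections to local port 443; to let inside hosts open connections to the peer's port 443 the port goes on the peer side ("permit tcp PEER eq 443 LOCAL"), because the ASA swaps the pair for pre-encryption traffic.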
If I don't specify any group policy, by default the user can access any resource. I don't want that. I want the user to have access only to 2 group-policies, with the same username and password.